Implement new firewall dom0->VM interface

[marmarek]

This is placeholder for the outcome of this discussion: https://groups.google.com/d/msgid/qubes-devel/20160114163808.GW4892%40mail-itl

[adrelanos]

The outcome is... Quote @marmarek:

1. have updates proxy running over qrexec instead of TCP/IP, so template will not have its own netvm at all [comment by me: --> #1854]
2. ease integration of "qubes firewall rules" with other firewalls (like Whonix one) [comment by me: this ticket]

[adrelanos]

The outcome is... Quote @marmarek:

1. have updates proxy running over qrexec instead of TCP/IP, so template will not have its own netvm at all [comment by me: --> #1854]
2. ease integration of "qubes firewall rules" with other firewalls (like Whonix one) [comment by me: this ticket]

[andrewdavidwong]

Questions pertaining to using Whonix with firewall rules keep coming up, so I'm providing a response here so that I can direct people to this issue:

Whonix-Gateway does not currently support firewall rules. This is a known issue, which I brought up here and here, which branched off here and is being tracked in #1815 (this issue) and here.

Short answer: For now, there's no way to enforce firewall rules for a VM using a whonix-gw as its NetVM, but a solution is in the works.

[andrewdavidwong]

Questions pertaining to using Whonix with firewall rules keep coming up, so I'm providing a response here so that I can direct people to this issue:

Whonix-Gateway does not currently support firewall rules. This is a known issue, which I brought up here and here, which branched off here and is being tracked in #1815 (this issue) and here.

Short answer: For now, there's no way to enforce firewall rules for a VM using a whonix-gw as its NetVM, but a solution is in the works.

[marmarek]

I've documented new (yet to be implemented) interface for firewall rules:
https://www.qubes-os.org/doc/vm-interface/

As for implementation (in the VM), I plan to replace current iptables-based qubes-firewall script, with nftables one. Thanks to independent tables it will allow to avoid interference between different firewall tools. For example it will allow to respect those rules by Whonix Gateway, without breaking Whonix firewall.
This is somehow extended idea of #974
/cc @adrelanos

[marmarek]

I've documented new (yet to be implemented) interface for firewall rules:
https://www.qubes-os.org/doc/vm-interface/

As for implementation (in the VM), I plan to replace current iptables-based qubes-firewall script, with nftables one. Thanks to independent tables it will allow to avoid interference between different firewall tools. For example it will allow to respect those rules by Whonix Gateway, without breaking Whonix firewall.
This is somehow extended idea of #974
/cc @adrelanos

[ubestemt]

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

[ubestemt]

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

[andrewdavidwong]

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

Sounds like this is covered by #2003.

[andrewdavidwong]

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

Sounds like this is covered by #2003.

[qubesos-bot]

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update